DMVPN problem with NAT


We are running a DMVPN EIGRP topology in our network. The DMVPN hub aggregates all the spoke router networks via the tunnel. Also, the spoke routers allow internet traffic by using NAT, and only private traffic flows through the DMVPN tunnel. IPsec is up and running fine and EIGRP works well. Serial interface overload for NAT is configured.

Brief configs on Hub and Spoke are as below:

Spoke router:

------------

interface Tunnel0
 description VPN tunnel
 bandwidth 400
 ip address 172.28.1.159 255.255.252.0
 ip nhrp authentication xxx
 ip nhrp map 172.28.1.1 6x.xx.x.x
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.28.1.1
 ip summary-address eigrp 100 10.159.0.0 255.255.0.0 5
 delay 40000
 qos pre-classify
 tunnel source Serial0/0/1:0
 tunnel destination 6x.xx.x.x
 tunnel key xxxx
 tunnel protection ipsec profile pppp

Hub router:

----------

interface Tunnel0
 bandwidth 100000
 ip address 172.28.1.1 255.255.252.0
 no ip redirects
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100002
 ip nhrp holdtime 360
 no ip split-horizon eigrp 100
 load-interval 30
 delay 40000
 qos pre-classify
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key xxxx
 tunnel protection ipsec profile pppp

Rt#sh ip nat trans | i :500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500

The problem is that when I get these entries in the NAT table of the spoke router, crypto breaks, EIGRP goes down on the spoke router and the DMVPN tunnel is completely down.

10.159.99.251 is the Gig0/0.99 private IP of the spoke router. I am not sure why we have so many entries for this UDP 500 ISAKMP connection instead of just one.

This happens even if any PC behind the spoke router tries to establish an IPsec connection with the hub router (which is not at all necessary).
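As an added illustration (not part of the original post, and not a confirmed diagnosis of this particular case), below is the shape of NAT overload configuration I would expect on a spoke that sources its DMVPN tunnel from the same serial interface it overloads: the inside-source ACL is written so that nothing belonging to the DMVPN path is ever translated, so an inside host's own IKE attempt to the hub cannot occupy UDP 500 on the serial address that the router's IKE needs. The hub public address 6x.xx.x.x, the serial interface, the tunnel subnet 172.28.0.0/22 and the spoke LAN 10.159.0.0/16 come from the post; the ACL names, the "before" access-list 10, the choice of Gig0/0.99 as the `ip nat inside` interface and the 10.0.0.0/8 summary for the other private networks reachable over the tunnel are my assumptions.

```cisco
! --- Before (assumed, not from the post): whole LAN overloaded onto the serial address,
!     so IKE/ESP from an inside host toward the hub is translated like any internet flow
access-list 10 permit 10.159.0.0 0.0.255.255
ip nat inside source list 10 interface Serial0/0/1:0 overload

! --- After: keep the DMVPN control and data path out of the translation table
ip access-list extended NAT-INSIDE
 remark never translate private-to-private traffic that belongs inside the tunnel
 deny   ip 10.159.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.159.0.0 0.0.255.255 172.28.0.0 0.0.3.255
 remark never translate IKE, NAT-T, ESP or GRE from inside hosts toward the hub public address
 deny   udp any host 6x.xx.x.x eq isakmp
 deny   udp any host 6x.xx.x.x eq non500-isakmp
 deny   esp any host 6x.xx.x.x
 deny   gre any host 6x.xx.x.x
 remark everything else is internet traffic and is overloaded (deny in a NAT ACL means "do not translate", not "drop")
 permit ip 10.159.0.0 0.0.255.255 any
!
! swap the mapping; IOS will refuse to remove a mapping with live translations,
! so clear them first (this briefly resets NAT state for internet flows)
clear ip nat translation *
no ip nat inside source list 10 interface Serial0/0/1:0 overload
ip nat inside source list NAT-INSIDE interface Serial0/0/1:0 overload
!
interface GigabitEthernet0/0.99
 ip nat inside
interface Serial0/0/1:0
 ip nat outside
!
! --- Verification (standard IOS show commands; output will differ per box)
! show ip nat translations | include :500     <- should no longer list inside hosts on port 500
! show ip nat translations | include :4500
! show crypto isakmp sa                        <- QM_IDLE for the hub peer
! show dmvpn                                   <- NHRP entry for 172.28.1.1 in state UP
! show ip eigrp neighbors                      <- hub adjacency over Tunnel0
```

The point of the extended ACL is that with PAT the router tries to keep the original source port, so an inside host sending IKE to the hub's public address can be mapped to the serial address on port 500, the same socket the router's own IKE toward that hub uses; denying that traffic in the NAT ACL takes it out of contention. Whether this is what is happening in the post is not established by the output shown; compare `show ip nat translations | include :500` before and after the change, and note that denied inside-host IKE traffic is forwarded untranslated rather than dropped, which is harmless here since the hub has no reason to accept it.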